Hi All,
During the internal vulnerability assessment audit, we found that the banner from Jetty is exposed.
Server: Jetty/4.2.9 (Windows Vista/6.1 amd64 java/1.5.0_11)
How can I disable this?
Meantime I will continue to search for answers.
Thank you.
Regards,
Tai Li
Hi All,
I have found the solution for Jetty 4.2.x.
Edit \<DLC>\fathom.init.params and append the following line to the end of the page,
org.mortbay.http.Version.paranoid=true
Restart AdminService.
PS: Credit to the friends in Jetty mailing list - http://dev.eclipse.org/mhonarc/lists/jetty-users/msg07012.html.
Thank you.
Regards,
Tai Li
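One way to confirm the change after restarting AdminService, as an added example that is not part of the original post: the script below pulls the Server header out of a raw HTTP response and lists which details it still reveals. The function names and the "after" response are constructed for illustration; the thread does not show what the banner looks like once the property is set.

```python
import re

# Layout of the banner quoted in the thread:
#   Product/version (OS name/OS version arch java/version)
BANNER = re.compile(r"^(?P<product>[^/\s]+)(?:/(?P<version>\S+))?"
                    r"(?:\s+\((?P<detail>[^)]*)\))?$")
OS_PART = re.compile(r"^(?P<os>.+?)/(?P<os_version>\S+)(?:\s+(?P<arch>\S+))?$")

def server_header(raw_response):
    """Return the Server header value from a raw HTTP response head, or None."""
    for line in raw_response.splitlines()[1:]:   # skip the status line
        if not line:                             # blank line ends the headers
            break
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None

def disclosed_fields(banner):
    """Map a Server header value to the details it reveals."""
    if not banner:
        return {}
    m = BANNER.match(banner)
    if not m:
        return {"unparsed": banner}
    found = {"product": m.group("product")}
    if m.group("version"):
        found["product_version"] = m.group("version")
    detail = (m.group("detail") or "").strip()
    java = re.search(r"\bjava/(\S+)", detail)
    if java:
        found["java_version"] = java.group(1)
        detail = detail[:java.start()].strip()
    os_match = OS_PART.match(detail)
    if os_match:
        found.update({k: v for k, v in os_match.groupdict().items() if v})
    return found

# Constructed responses. BEFORE carries the banner quoted in the thread;
# AFTER uses an assumed shortened banner (the thread does not show the new one).
BEFORE = ("HTTP/1.1 200 OK\r\n"
          "Server: Jetty/4.2.9 (Windows Vista/6.1 amd64 java/1.5.0_11)\r\n"
          "Content-Type: text/html\r\n\r\n")
AFTER = "HTTP/1.1 200 OK\r\nServer: Jetty/4.2\r\nContent-Type: text/html\r\n\r\n"

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, disclosed_fields(server_header(raw)))
```

Any `os`, `os_version`, `arch` or `java_version` key left in the result means the detailed banner is still being sent.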
I'm looking at a solution where only a modification to the Jetty XML file is enough. (Example: http://attenuated-perspicacity.blogspot.sg/2009/09/jetty-61x-hardening.html) I believe OE Explorer has its own unique way to implement this. Most of the solutions I found online require coding.
Hi Rohit,
Actually, it is my client. They are using OE10.2B. It is the Jetty server header banner that I'm referring to. You can try the method as shown in this link (http://niiconsulting.com/checkmate/2012/10/disable-iis-7-5-banner-version/). There is no issue with the OE Explorer nor the Jetty. It is just that my client wanted to harden their server.
PS: How do I move this thread?
Thank you.
Regards,
Tai Li
We will check with the Security Architect on this and let you know.
The sendServerVersion option is not available in Jetty 4; it's been added in later releases, so one option would be to upgrade.
Thank you.
Hi, I believe the sendServerVersion you've mentioned is used in coding. Does Jetty 4 have a similar option in the XML configuration file? Thank you.
Regards,
Tai Li
For any parameter you might put into the XML file, there has to be a server part to process it and act accordingly. I was trying to say that Jetty 4 does not have the option to mask the server version.
Using a Progress example: you can have a .pf file with -ignoreerrors, but unless the client (prowin32) that uses/reads that .pf knows what to do about it, nothing will happen.
Hi, I understand. Thank you so much!